GlobalProtect

While investigating why users on GlobalProtect VPN could not connect to Citrix VDA servers I came across this forum post. My first step was to disable Packet Based Attack Protection > IP Drop > Fragmented traffic (under Network > Network Profiles > Zone Protection > Profiles) for both the GlobalProtect zone and the zone hosting the Citrix application.

This didn’t solve the issue on its own, but a packet capture of the client attempting to connect to the host now populated the ‘drop’ capture with Fragmented IP protocol traffic, as shown in the screenshot below.

This confirmed that the issue was MTU related and backed up the forum post’s suggestion to change the MTU size in the ICA file that is pushed to the client.

Following the article How to configure MSS when using EDT on networks with non-standard MTU, with the MTU set to 1384 the connection went through as expected. I then re-enabled the IP Drop for Fragmented traffic and the client continued to connect as expected.
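To put a number behind the MTU value before editing the ICA file, the following script (an added example, not part of the original post or any Palo Alto/Citrix tooling) binary-searches the largest DF-marked ICMP payload that reaches a host across the tunnel and reports the implied path MTU. It assumes Linux iputils ping (`-M do` sets the DF bit, `-s` sets the payload) and a host name you supply as a placeholder argument.

```shell
#!/bin/sh
# Added example: probe the path MTU to a Citrix VDA from a GlobalProtect
# client by sending DF-marked pings of increasing size. A ping that would
# need fragmentation gets no reply, so the largest size that still answers
# gives the MTU the ICA file should be tuned to (e.g. 1384 in the post).

IP_ICMP_OVERHEAD=28   # 20-byte IPv4 header + 8-byte ICMP header

# payload_to_mtu PAYLOAD -> MTU in bytes (payload plus IP/ICMP headers)
payload_to_mtu() {
    echo $(( $1 + IP_ICMP_OVERHEAD ))
}

# mtu_to_payload MTU -> the ping -s value that tests exactly that MTU
mtu_to_payload() {
    echo $(( $1 - IP_ICMP_OVERHEAD ))
}

# df_ping HOST PAYLOAD -> exit 0 if a DF-marked ping of PAYLOAD bytes is answered
df_ping() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_pmtu HOST [LOW] [HIGH] -> prints the largest MTU that passed,
# or 0 if no probe was answered at all (ICMP filtered, host down, ...)
find_pmtu() {
    host=$1; lo=${2:-576}; hi=${3:-1500}
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if df_ping "$host" "$(mtu_to_payload "$mid")"; then
            best=$mid; lo=$(( mid + 1 ))   # passed: look for something larger
        else
            hi=$(( mid - 1 ))              # dropped: look for something smaller
        fi
    done
    echo "$best"
}

# Usage: ./pmtu.sh <vda-host>   (placeholder host name, not from the post)
if [ $# -gt 0 ]; then
    echo "Largest MTU that passes to $1 without fragmentation: $(find_pmtu "$1")"
fi
```

A result of 0 means no probe was answered, which usually indicates ICMP is filtered somewhere on the path (including by the zone protection profile itself) rather than a tiny MTU, so confirm with the firewall’s drop capture before acting on it.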


When setting up a GlobalProtect Portal/Gateway with Azure AD SAML authentication you may find you receive the error message:

AADSTS700016: Application with identifier <Entity ID> was not found in the directory ‘<Directory ID>’.

The fix here is easy – the GlobalProtect client appends :443 to the domain name in the identifier it sends, so the Entity ID configured in Azure AD must include it. This isn’t mentioned in the guide from Microsoft (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-tutorial) but is in the guide from Palo Alto Networks (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE).

Interestingly the Reply URL doesn’t strictly require it (although the Palo Alto guide mentions it), but either way it is easy to fix.